Attributes TransientID and uid not released
Nate Klingenstein
ndk at internet2.edu
Tue Jul 30 12:28:03 EDT 2013
Gilles,
I think this is normal behavior. The transientId should not be sent as an attribute, but instead as a NameID in your assertions. Your log messages are consistent with that occurring. Is there something that makes you believe the SP is not receiving a transient name identifier in the Subject of the SAML assertion?
See down further in your logs:
11:57:48.653 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:541] - Retaining attribute transientId which may be encoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
11:57:48.653 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:566] - Filtering out potential name identifier attributes which do not support one of the following formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
11:57:48.654 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://sp.testshib.org/shibboleth-sp'
Thanks,
Nate.
On Jul 30, 2013, at 15:51 , Gilles Badouet wrote:
> Hi all,
>
> All my configured attributes are released apart from TransientID and uid.
> Does the TransientID have anything to do with uid (username)?
>
> The debug line that seems to be related to that issue is:
> DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] -Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
>
> Below is my transientId attribute in attribute-resolver.xml:
> <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
>     <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
> </resolver:AttributeDefinition>
>
> And in attribute-filter.xml
> <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
>     <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
>     <afp:AttributeRule attributeID="transientId">
>         <afp:PermitValueRule xsi:type="basic:ANY"/>
>     </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> Kind regards
>
>
> Gilles Rubens Badouet
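
One way to check the behavior described in the reply above, as an added example that is not part of the original thread: the script parses a decoded SAML 2.0 assertion and reports the Subject NameID separately from the attributes in the AttributeStatement. The sample assertion, its issuer and its values are constructed; the script does no signature validation and does not handle encrypted assertions, so it is only a debugging aid.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion (made-up values, signature omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed1" Version="2.0" IssueInstant="2013-07-30T15:57:48Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructed-opaque-value</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>user@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def summarize_assertion(xml_text):
    """Return the Subject NameID and the released attributes of a decoded assertion."""
    root = ET.fromstring(xml_text)
    # './/' also matches when the input is a whole Response wrapping the assertion.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attributes[key] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": name_id.text.strip() if name_id is not None and name_id.text else None,
        "attributes": attributes,
    }

def transient_delivered_as_nameid(summary):
    """True when a transient NameID is in the Subject and not sent as an attribute."""
    return (summary["nameid_format"] == TRANSIENT
            and "transientId" not in summary["attributes"])

if __name__ == "__main__":
    s = summarize_assertion(SAMPLE_ASSERTION)
    print("NameID:", s["nameid_format"], s["nameid_value"])
    print("Attributes:", sorted(s["attributes"]))
    print("transientId delivered as NameID only:", transient_delivered_as_nameid(s))
```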